CERTainly a cock up

There’s been a bit of a hoo ha about SSL certs this week. What happened is a bit complicated, so I’ll try and break it down.

tl;dr The CEO of an SSL reseller emailed 23,000 private keys and all those certs were revoked. D’oh.

OK, hunker down. Here we go.

Resellers

Picture the scene. Croydon. February. Cert flogger Trustico sold SSL/TLS certificates to website owners to encrypt their sites. Jolly good so far. They resold Symantec, GeoTrust, Thawte and RapidSSL. (These are all owned by DigiCert).

So if you want a RapidSSL certificate, Trustico would happily sell you one.

CERTainly Not!

Jeremy Rowley, the Chief Product Officer for DigiCert said that Trustico had fessed up in February that it had been compromised.

Private keys?

The techies at DigiCert asked him for more info about this blunder and the CEO thought it’d be cool just to email over a file with the private keys to 23,000 certificates. Oh no he didn’t! Oh yes he did.

DigiCert then invoked some rule or other about something to do with website security which meant all 23,000 certs had to be revoked because the CEO is a numpty (not the actual clause, but you get the gist).

DigiCert then sent out urgent emails to all the RapidSSL buyers from Trustico telling them they had 24 hours to get a new cert or watch their online businesses crumble before their very eyes.

Trustico were jolly annoyed about all this. And Zane Lucas, who claims to be a product manager at the security-challenged reseller, moaned on a Mozilla security policy newsgroup about it all.

No approval

In what was clearly a bit of a rant he snarled: “We didn’t authorise DigiCert to contact our customers and we didn’t approve the content of their email”.

Oh diddums.

He reckoned that there was nothing wrong with them. His CEO emailed them off, and it was at THAT point they were compromised. Chinny reckon.